As an administrator, you can set the local administrative permissions level a user can have on their Microsoft Windows 10 devices. For example, you can allow limited control or full access. This permission level is granted to the Windows account that's associated with a user's Google Account, not to a user's Google Account.
You can also provide administrative permissions to other existing Windows accounts. These accounts can be local to the device or Active Directory users and groups, even if they haven't yet signed in to the device.
Requirements
- To set administrative permissions for the user's account, the device must have Google Credential Provider for Windows (GCPW) installed on it and be under Windows device management.
- To give administrative permissions to other existing Windows accounts, the device must be under Windows device management.
Set administrative permissions
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Devices
Mobile and endpoints
- Click Account settings.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.
- Under Manage local administrative access to devices, select Enabled from the list of items.
- To set the user's account permissions (requires GCPW):
- Select Standard User to assign users standard accounts without administrative permissions. If you choose this option, enter at least one account in the Give local administrative access field (described in the next step). Otherwise, no accounts will be in the Local administrator group.
- Select Local Administrator to assign users local administrative permissions.
Windows limitations:
-
The user gets the Local Administrator permission level after they sign in to their device the second time after you assign the permission level.
-
Changing a user's permission level from Local Administrator to Standard User isn't supported on Windows 10, version 1803.
-
- Under Give local administrative access, enter existing Active Directory users, Active Directory groups, or local Windows user accounts that also get local administrative privileges. Use the following formats:
- Active Directory users: YourDomain\user
- Active Directory groups: YourDomain\group
- Local users: username
Separate values with commas. For example: YourDomain\Win10admins, YourDomain\jsmith, prayes, rnguyen
Important:
- If this field is blank, the existing Local Administrators group is cleared. If you set the user account type as Standard user, then no accounts have administrative access. If you set the user account type as Local administrator, then only the user has administrative access.
- If you enter an account that doesn't exist, a new account is not created on the device, no accounts are added to the Local Administrator group, and the existing Local Administrator group is cleared.
- Click Save. If you configured a child organizational unit, you might be able to Inherit or Override a parent organizational unit's settings.
Related topics
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.